Introduction

dnstap is a flexible, structured binary log format for DNS software. It uses Protocol Buffers to encode events that occur inside DNS software in an implementation-neutral format.

Currently dnstap can only encode wire-format DNS messages. It is planned to support additional types of DNS log information.

Server-side dnstap support is included in the Knot DNS authoritative nameserver as of version 1.5.0 and in the Unbound recursive DNS server as of version 1.5.0. It is planned to develop dnstap support for additional DNS servers and other kinds of DNS software.

A standalone command-line tool for receiving and decoding dnstap log messages is also being worked on. Check out this example output from the dnstap command to get an idea of the kind of information that dnstap can encode.

The current development trees can be found on the Source page.

Presentations

dnstap-whoami: one-legged exfiltration of resolver queries. Slides. Presented in October 2015 at the OARC 2015 Fall Workshop by Robert Edmonds in Montréal.

Passive DNS Collection and Analysis: The 'dnstap' (& fstrm) Approach. Slides. Presented in December 2014 at Verisign Labs by Paul Vixie and Robert Edmonds in Reston, VA.

dnstap: brief intro and update. Slides. Presented in June 2014 at NANOG 61 by Merike Kaeo in Bellevue, WA.

dnstap: introduction and status update. Slides. Presented in May 2014 at the OARC 2014 Spring Workshop by Robert Edmonds in Warsaw.

dnstap: high speed DNS logging without packet capture. Presented in April 2014 at FIRST TC by Jeroen Massar in Amsterdam.

dnstap: high speed DNS logging without packet capture. Slides. Presented in April 2014 at APWG eCrime Researchers Sync-Up IV by Jeroen Massar in Oberammergau, Germany.

dnstap: high speed DNS logging without packet capture. Slides. Video. Tutorial. Presented in February 2014 at NANOG 60 by Robert Edmonds in Atlanta.

Passive DNS Collection and Analysis: The 'dnstap' Approach. Slides. Presented in January 2014 at FloCon 2014 by Paul Vixie in Charleston, SC.

dnstap: high speed DNS server event replication without packet capture. Slides. Presented in June 2013 by Robert Edmonds.

Community

There is a mailing list for everyone interested in discussing dnstap.

Source code, website code, and presentation material are hosted on GitHub.